07d3885c26f6b485ab8b4283b04d53f58b64f6b43f4eb734658cc2a64c524d92

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	mbamservice.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbamservice.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	_iu14D2N.tmp

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
3024	7z2201.exe
216	7z.exe
4264	7z.exe
4640	rs.exe
3532	rs.tmp
5032	mbamservice.exe
2908	mbamservice.exe
1264	mbamtray.exe
4160	unins000.exe
3828	_iu14D2N.tmp
1200	MBAMWsc.exe
3784	mbamservice.exe
636	mbamwsc.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService	rs.tmp
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MBAMService\ = "Service"	rs.tmp

Loads dropped DLL 62 IoCs

pid	Process
216	7z.exe
4264	7z.exe
3532	rs.tmp
3532	rs.tmp
3532	rs.tmp
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
3828	_iu14D2N.tmp
2596	regsvr32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\R:	mbamservice.exe
File opened (read-only)	\??\V:	mbamservice.exe
File opened (read-only)	\??\A:	mbamservice.exe
File opened (read-only)	\??\H:	mbamservice.exe
File opened (read-only)	\??\J:	mbamservice.exe
File opened (read-only)	\??\K:	mbamservice.exe
File opened (read-only)	\??\L:	mbamservice.exe
File opened (read-only)	\??\O:	mbamservice.exe
File opened (read-only)	\??\Z:	mbamservice.exe
File opened (read-only)	\??\I:	mbamservice.exe
File opened (read-only)	\??\W:	mbamservice.exe
File opened (read-only)	\??\B:	mbamservice.exe
File opened (read-only)	\??\M:	mbamservice.exe
File opened (read-only)	\??\P:	mbamservice.exe
File opened (read-only)	\??\S:	mbamservice.exe
File opened (read-only)	\??\X:	mbamservice.exe
File opened (read-only)	\??\Y:	mbamservice.exe
File opened (read-only)	\??\E:	mbamservice.exe
File opened (read-only)	\??\G:	mbamservice.exe
File opened (read-only)	\??\N:	mbamservice.exe
File opened (read-only)	\??\Q:	mbamservice.exe
File opened (read-only)	\??\T:	mbamservice.exe
File opened (read-only)	\??\U:	mbamservice.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
3604	powershell.exe
4636	powershell.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	mbamservice.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

discovery

Process Discovery

T1057

pid	Process
1152	Process not Found
4216	Process not Found
4140	Process not Found
4528	Process not Found
4320	tasklist.exe
1608	Process not Found
1960	tasklist.exe
3020	tasklist.exe
3184	tasklist.exe
2580	tasklist.exe
3224	tasklist.exe
4544	tasklist.exe
1812	Process not Found
764	tasklist.exe
4664	tasklist.exe
2152	tasklist.exe
4968	tasklist.exe
752	tasklist.exe
776	Process not Found
1892	tasklist.exe
3056	Process not Found
4696	Process not Found
4848	Process not Found
1952	tasklist.exe
1844	tasklist.exe
2060	tasklist.exe
2568	tasklist.exe
1588	Process not Found
3260	Process not Found
3380	Process not Found
2060	tasklist.exe
1620	tasklist.exe
2116	tasklist.exe
3012	tasklist.exe
740	tasklist.exe
3032	tasklist.exe
2008	tasklist.exe
1300	tasklist.exe
1520	Process not Found
824	Process not Found
4692	Process not Found
4148	tasklist.exe
3160	tasklist.exe
4936	tasklist.exe
60	tasklist.exe
3620	Process not Found
456	tasklist.exe
756	tasklist.exe
1748	Process not Found
3096	Process not Found
4752	tasklist.exe
3468	tasklist.exe
2936	tasklist.exe
1652	tasklist.exe
4820	tasklist.exe
2364	tasklist.exe
1288	tasklist.exe
2312	tasklist.exe
1820	tasklist.exe
2860	tasklist.exe
556	tasklist.exe
2668	tasklist.exe
4948	tasklist.exe
3656	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\is-R3VPJ.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\qml\is-UHPIG.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-7O3L0.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\nn.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\styles\is-NBTN5.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\is-2M93G.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\an.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-OB6U1.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-A79JL.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\it.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-I781B.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\fa.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\fy.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\readme.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-MDU2I.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-QK2RN.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\History.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\eu.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mbamchameleon.sys	mbamservice.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fr.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-7F7SC.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\imageformats\is-PUCQ4.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-D4OM3.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-3IG25.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-3I4DO.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\mwac.sys	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQml\Models.2\is-HRBF3.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-031T5.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\es.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-7GOA9.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-RITEE.tmp	rs.tmp
File opened for modification	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	mbamservice.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-PFA31.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\ps.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tt.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fa.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-1DV30.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\images\is-49C2D.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hi.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lv.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Qt\labs\settings\is-02P9M.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-EIC84.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-78GE7.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-0PRTO.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Controls\Styles\Flat\is-H6UH6.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-G6UVO.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-5F5VA.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.dll	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-P8K6N.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-KLM1I.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-2R9FK.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-NJ3TH.tmp	rs.tmp

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ELAMBKUP\MbamElam.sys	mbamservice.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	mbamservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rs.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbamtray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_iu14D2N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2201.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mbamservice.exe

Delays execution with timeout.exe 19 IoCs

evasion

pid	Process
2376	timeout.exe
1976	timeout.exe
4076	timeout.exe
4816	timeout.exe
3728	timeout.exe
5108	timeout.exe
4972	timeout.exe
4812	timeout.exe
2056	timeout.exe
3408	timeout.exe
2252	timeout.exe
4692	timeout.exe
1460	timeout.exe
2820	timeout.exe
1468	timeout.exe
2916	timeout.exe
728	timeout.exe
1292	timeout.exe
1416	timeout.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	rs.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	rs.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	rs.tmp

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mbamservice.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}\1.0\0\win64	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FD6673C7-8E52-46EE-80B8-58F3FB6AA036}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7AEBAD20-B80A-427D-B7D5-D2983291132E}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ = "IUpdateControllerEvents"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EAB53395-8218-47FF-91B7-144994C0AD83}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2446F405-83F0-460F-B837-F04540BB330C}\1.0\HELPDIR	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7F95C137-46FC-42FB-A66A-F0482F3C749C}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}\1.0	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D81C2A20-D03D-40D4-A371-A499633A2AD3}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{562B1FA7-13DE-40A1-8839-AB2C5FA3129C}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA484BC6-E101-4A87-AAF3-B468B3F2C6BB}\ = "IUpdateControllerV7"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61DF8ACF-EC61-4D69-A543-20EA450E1A84}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9CFA1689-38D3-4AE9-B1E8-B039EB7AD988}\TypeLib\ = "{F5BCAC7E-75E7-4971-B3F3-B197A510F495}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BD2053F-99D1-4C2B-8B45-635183A8F0BF}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\VersionIndependentProgID\ = "MB.UpdateController"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{620A01DD-16D2-4A83-B02C-E29BE38B3029}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCEFCD43-B934-4168-AE51-6FE07D3D0624}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE35F2CA-6335-49BA-8E86-F6E246CFCEA6}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4EA13DC-F9D2-4DB9-A19F-2B462FFC81F3}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ADCD8BEB-8924-4876-AE14-2438FF14FA17}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7DAEEB9-30B6-4AC4-BB74-7763C950D8EC}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F128CCB-D86F-4998-803A-7CD58474FE2C}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4AC5360-A581-42A7-8DD6-D63A5C3AA7F1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79CAE9D0-99AA-4FEB-B6B1-1AC1A2D8F874}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\Version	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFC6C7E6-8475-4F9B-AC56-AD22BECF91C4}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}\1.0	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61964EBA-D9C0-4834-B01C-A6133F432BB1}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C85F3EB8-B099-4598-89C3-E33BAC2CE53D}\ = "IScanControllerEventsV2"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\VersionIndependentProgID	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{993A5C11-A9B8-41E9-9088-C5182B1F279A}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46AEAC9A-C091-4B63-926C-37CFBD9D244F}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\TypeLib\Version = "1.0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5091804-600E-4226-BF28-80ABFDF4AFAB}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BD2053F-99D1-4C2B-8B45-635183A8F0BF}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A10434E2-CAA7-48C4-9770-E9F215C51ECC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{566DC5CA-A3C4-4959-AB92-37606E12AAFF}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{783B187E-360F-419C-B6DA-592892764A01}\1.0\FLAGS	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4F3822FA-CCD5-4934-AB6D-3382B2F91DB9}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97DA9E74-558F-4085-AE41-6A82ED12D02C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{97DA9E74-558F-4085-AE41-6A82ED12D02C}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2E404A3-4E3F-4094-AE06-5E38D39B79AE}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79CAE9D0-99AA-4FEB-B6B1-1AC1A2D8F874}\ = "IUpdateControllerV5"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66328184-6592-46BE-B950-4FDA4417DF2E}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31BF2366-C6DB-49F1-96A5-8026B9DF4152}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F656FD9-2597-4587-8F05-781C11710867}\ = "_IScannerEventsV2"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\TypeLib\ = "{226C1698-A075-4315-BB5D-9C164A96ACE7}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.RTPController\CurVer	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3F656FD9-2597-4587-8F05-781C11710867}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ArwController.1\CLSID	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C5B86F3-CEB8-44E3-9B83-6F6AF035E872}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0EB1521-C843-47D5-88D2-5449A2F5F40B}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9669A3D-81E8-46F6-A51E-815A0863D612}\TypeLib\ = "{2446F405-83F0-460F-B837-F04540BB330C}"	mbamservice.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4740f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc250f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC\CTLs	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC\CRLs	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc32000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\SPC	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC\Certificates	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1264	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2792	powershell.exe
2792	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
3604	powershell.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
1264	mbamtray.exe
1264	mbamtray.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
2908	mbamservice.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
2908	mbamservice.exe
2908	mbamservice.exe
4612	WMIC.exe
4612	WMIC.exe
4612	WMIC.exe
4612	WMIC.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	216	7z.exe
Token: 35	216	7z.exe
Token: SeSecurityPrivilege	216	7z.exe
Token: SeSecurityPrivilege	216	7z.exe
Token: SeRestorePrivilege	4264	7z.exe
Token: 35	4264	7z.exe
Token: SeSecurityPrivilege	4264	7z.exe
Token: SeSecurityPrivilege	4264	7z.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: 33	5032	mbamservice.exe
Token: SeIncBasePriorityPrivilege	5032	mbamservice.exe
Token: 33	2908	mbamservice.exe
Token: SeIncBasePriorityPrivilege	2908	mbamservice.exe
Token: SeRestorePrivilege	2908	mbamservice.exe
Token: SeTakeOwnershipPrivilege	2908	mbamservice.exe
Token: SeRestorePrivilege	2908	mbamservice.exe
Token: SeBackupPrivilege	2908	mbamservice.exe
Token: SeRestorePrivilege	2908	mbamservice.exe
Token: SeTakeOwnershipPrivilege	2908	mbamservice.exe
Token: SeRestorePrivilege	2908	mbamservice.exe
Token: SeBackupPrivilege	2908	mbamservice.exe
Token: SeRestorePrivilege	2908	mbamservice.exe
Token: SeBackupPrivilege	2908	mbamservice.exe
Token: SeAssignPrimaryTokenPrivilege	2908	mbamservice.exe
Token: SeIncreaseQuotaPrivilege	2908	mbamservice.exe
Token: SeSecurityPrivilege	2908	mbamservice.exe
Token: SeTakeOwnershipPrivilege	2908	mbamservice.exe
Token: SeLoadDriverPrivilege	2908	mbamservice.exe
Token: SeSystemtimePrivilege	2908	mbamservice.exe
Token: SeBackupPrivilege	2908	mbamservice.exe
Token: SeRestorePrivilege	2908	mbamservice.exe
Token: SeShutdownPrivilege	2908	mbamservice.exe
Token: SeSystemEnvironmentPrivilege	2908	mbamservice.exe
Token: SeUndockPrivilege	2908	mbamservice.exe
Token: SeManageVolumePrivilege	2908	mbamservice.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeSecurityPrivilege	2908	mbamservice.exe
Token: SeSecurityPrivilege	2908	mbamservice.exe
Token: 33	3784	mbamservice.exe
Token: SeIncBasePriorityPrivilege	3784	mbamservice.exe
Token: SeIncreaseQuotaPrivilege	4612	WMIC.exe
Token: SeSecurityPrivilege	4612	WMIC.exe
Token: SeTakeOwnershipPrivilege	4612	WMIC.exe
Token: SeLoadDriverPrivilege	4612	WMIC.exe
Token: SeSystemProfilePrivilege	4612	WMIC.exe
Token: SeSystemtimePrivilege	4612	WMIC.exe
Token: SeProfSingleProcessPrivilege	4612	WMIC.exe
Token: SeIncBasePriorityPrivilege	4612	WMIC.exe
Token: SeCreatePagefilePrivilege	4612	WMIC.exe
Token: SeBackupPrivilege	4612	WMIC.exe
Token: SeRestorePrivilege	4612	WMIC.exe
Token: SeShutdownPrivilege	4612	WMIC.exe
Token: SeDebugPrivilege	4612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4612	WMIC.exe
Token: SeRemoteShutdownPrivilege	4612	WMIC.exe
Token: SeUndockPrivilege	4612	WMIC.exe
Token: SeManageVolumePrivilege	4612	WMIC.exe
Token: 33	4612	WMIC.exe
Token: 34	4612	WMIC.exe
Token: 35	4612	WMIC.exe
Token: 36	4612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4612	WMIC.exe
Token: SeSecurityPrivilege	4612	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3532	rs.tmp
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
3828	_iu14D2N.tmp

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe
1264	mbamtray.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 2008	3440	Patch_MB_5.x.exe	82
PID 3440 wrote to memory of 2008	3440	Patch_MB_5.x.exe	82
PID 2008 wrote to memory of 3024	2008	cmd.exe	84
PID 2008 wrote to memory of 3024	2008	cmd.exe	84
PID 2008 wrote to memory of 3024	2008	cmd.exe	84
PID 2008 wrote to memory of 1480	2008	cmd.exe	85
PID 2008 wrote to memory of 1480	2008	cmd.exe	85
PID 2008 wrote to memory of 3700	2008	cmd.exe	86
PID 2008 wrote to memory of 3700	2008	cmd.exe	86
PID 3700 wrote to memory of 1532	3700	cmd.exe	87
PID 3700 wrote to memory of 1532	3700	cmd.exe	87
PID 2008 wrote to memory of 1748	2008	cmd.exe	88
PID 2008 wrote to memory of 1748	2008	cmd.exe	88
PID 1748 wrote to memory of 2916	1748	cmd.exe	89
PID 1748 wrote to memory of 2916	1748	cmd.exe	89
PID 2008 wrote to memory of 968	2008	cmd.exe	90
PID 2008 wrote to memory of 968	2008	cmd.exe	90
PID 2008 wrote to memory of 216	2008	cmd.exe	92
PID 2008 wrote to memory of 216	2008	cmd.exe	92
PID 2008 wrote to memory of 216	2008	cmd.exe	92
PID 968 wrote to memory of 1696	968	cmd.exe	93
PID 968 wrote to memory of 1696	968	cmd.exe	93
PID 2008 wrote to memory of 4264	2008	cmd.exe	94
PID 2008 wrote to memory of 4264	2008	cmd.exe	94
PID 2008 wrote to memory of 4264	2008	cmd.exe	94
PID 968 wrote to memory of 4212	968	cmd.exe	95
PID 968 wrote to memory of 4212	968	cmd.exe	95
PID 968 wrote to memory of 788	968	cmd.exe	96
PID 968 wrote to memory of 788	968	cmd.exe	96
PID 968 wrote to memory of 3016	968	cmd.exe	97
PID 968 wrote to memory of 3016	968	cmd.exe	97
PID 968 wrote to memory of 2408	968	cmd.exe	98
PID 968 wrote to memory of 2408	968	cmd.exe	98
PID 2408 wrote to memory of 3148	2408	cmd.exe	99
PID 2408 wrote to memory of 3148	2408	cmd.exe	99
PID 2408 wrote to memory of 2272	2408	cmd.exe	100
PID 2408 wrote to memory of 2272	2408	cmd.exe	100
PID 968 wrote to memory of 4076	968	cmd.exe	101
PID 968 wrote to memory of 4076	968	cmd.exe	101
PID 2008 wrote to memory of 2792	2008	cmd.exe	102
PID 2008 wrote to memory of 2792	2008	cmd.exe	102
PID 2008 wrote to memory of 3604	2008	cmd.exe	103
PID 2008 wrote to memory of 3604	2008	cmd.exe	103
PID 3604 wrote to memory of 4640	3604	powershell.exe	104
PID 3604 wrote to memory of 4640	3604	powershell.exe	104
PID 3604 wrote to memory of 4640	3604	powershell.exe	104
PID 4640 wrote to memory of 3532	4640	rs.exe	105
PID 4640 wrote to memory of 3532	4640	rs.exe	105
PID 4640 wrote to memory of 3532	4640	rs.exe	105
PID 968 wrote to memory of 728	968	cmd.exe	108
PID 968 wrote to memory of 728	968	cmd.exe	108
PID 3532 wrote to memory of 1468	3532	rs.tmp	109
PID 3532 wrote to memory of 1468	3532	rs.tmp	109
PID 3532 wrote to memory of 2088	3532	rs.tmp	111
PID 3532 wrote to memory of 2088	3532	rs.tmp	111
PID 3532 wrote to memory of 5032	3532	rs.tmp	113
PID 3532 wrote to memory of 5032	3532	rs.tmp	113
PID 968 wrote to memory of 4692	968	cmd.exe	116
PID 968 wrote to memory of 4692	968	cmd.exe	116
PID 2908 wrote to memory of 1264	2908	mbamservice.exe	117
PID 2908 wrote to memory of 1264	2908	mbamservice.exe	117
PID 2908 wrote to memory of 1264	2908	mbamservice.exe	117
PID 968 wrote to memory of 4816	968	cmd.exe	118
PID 968 wrote to memory of 4816	968	cmd.exe	118

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1480	attrib.exe
3400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\install\Patch\Patch_MB_5.x.exe
"C:\Users\Admin\AppData\Local\Temp\install\Patch\Patch_MB_5.x.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0GDFD3BJ.bat" "C:\Users\Admin\AppData\Local\Temp\install\Patch\Patch_MB_5.x.exe""
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\qbE576C27.C3\7z2201.exe
    "C:\Users\Admin\AppData\Local\Temp\qbE576C27.C3\7z2201.exe" /S
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr "keystone" "C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\findstr.exe
      findstr "keystone" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr "holocron" "C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\findstr.exe
      findstr "holocron" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\pb.cmd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\system32\mode.com
      mode con:cols=86 lines=36
      4⤵
      PID:1696
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4212
  - - C:\Windows\system32\mode.com
      mode 70,4
      4⤵
      PID:788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy/Z "C:\Users\Admin\AppData\Local\Temp\pb.cmd" nul
      4⤵
      PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $H|cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $H"
        5⤵
        
        PID:3148
    - - C:\Windows\system32\cmd.exe
        
        cmd
        5⤵
        
        PID:2272
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4076
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:728
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4692
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4816
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2056
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:3728
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2252
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1460
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1292
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1416
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2820
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:5108
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1468
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2376
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2916
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4972
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1976
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3540
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:60
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4704
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1868
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4628
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4664
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1748
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4516
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4824
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2900
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4160
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3068
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:216
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:456
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3052
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3096
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4156
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2852
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4652
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2860
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4320
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3836
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3488
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3352
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1536
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1596
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1592
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1916
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4884
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4280
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3096
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4156
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2852
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4652
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2860
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4944
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4508
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1060
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4788
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4148
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1244
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4692
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4624
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4856
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:764
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4072
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:988
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3504
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2820
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:844
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2396
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4972
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:476
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:60
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1624
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1868
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4628
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1608
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4444
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:400
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4724
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3828
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4600
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1844
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1596
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1592
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3440
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4884
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4280
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3096
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4492
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2912
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4156
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3188
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3312
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1048
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2916
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:824
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5044
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4092
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2232
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1352
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1284
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3368
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4840
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2944
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4612
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:772
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4684
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1916
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2168
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3608
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:728
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3152
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2248
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4560
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2744
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3768
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3740
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:60
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2124
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4320
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1608
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:852
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2460
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4716
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3728
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:216
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:456
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2568
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1952
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4616
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:740
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2712
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:708
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3524
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4976
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:460
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2828
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4264
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2744
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3768
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3740
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:60
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2124
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4628
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2232
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3724
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3684
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:404
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3352
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2668
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2656
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1956
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2420
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1288
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3224
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3400
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3044
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2852
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2200
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3256
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2916
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1180
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4744
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1404
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4484
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2236
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3784
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1284
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4868
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1244
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1192
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1996
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3068
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3040
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1844
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2332
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4536
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:396
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4872
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3144
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2576
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3152
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4560
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3592
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2376
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1048
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5080
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1180
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4744
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3276
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2284
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2132
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1388
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1476
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1152
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1628
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3480
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1332
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4372
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2280
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4804
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1596
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4128
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2664
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3608
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:728
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1532
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2432
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4216
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3312
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2484
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2396
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:972
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3260
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4936
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1988
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4484
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4704
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:60
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2136
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2208
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2728
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3784
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3848
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4444
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3068
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1376
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4072
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2508
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1196
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3524
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4976
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:460
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2148
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4492
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2272
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4264
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2744
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4652
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5044
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1188
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4788
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1748
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4824
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4188
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:400
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1620
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3700
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2864
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:740
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4584
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3144
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:728
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3152
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4648
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2852
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2200
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2868
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2548
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:5044
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2108
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4344
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3816
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3488
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2924
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3116
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3952
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4184
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4880
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4856
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:764
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1952
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2000
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1032
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2148
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4492
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1756
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3592
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2376
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3640
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1392
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2788
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:1264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2796
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3740
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4812
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:3236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2312
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:60
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:556
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        
        PID:4416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2208
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4820
- - C:\Program Files (x86)\7-Zip\7z.exe
    "C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\qbE576C27.C3\ck.7z" -o"C:\ProgramData" -pdgdfgdfDFGfddjfhjdrkhg7tgjfhjdjhgsg -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- - C:\Program Files (x86)\7-Zip\7z.exe
    "C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\qbE576C27.C3\rs.7z" -o"C:\Users\Admin\AppData\Local\Temp" -pgfdgdfgdfgdfgFGDgfkjfhdjgy6dufdg -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -FilePath 'C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -FilePath 'C:\Users\Admin\AppData\Local\Temp\rs.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\rs.exe
      "C:\Users\Admin\AppData\Local\Temp\rs.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\is-5T71U.tmp\rs.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5T71U.tmp\rs.tmp" /SL5="$60228,63820596,239616,C:\Users\Admin\AppData\Local\Temp\rs.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Loads dropped DLL
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3532
      - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-E875U.tmp\BaltimoreCyberTrustRoot.crt"
        6⤵
        
        PID:1468
      - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-E875U.tmp\DigiCertEVRoot.crt"
        6⤵
        
        PID:2088
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /service /Protected
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:3408
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\ProgramData\tl"
    3⤵
    - Views/modifies file attributes
    PID:3400
- - C:\Windows\system32\xcopy.exe
    xcopy /C /H /Q /R /Y "C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json" "C:\ProgramData\tl"
    3⤵
    PID:4228
- - C:\Windows\system32\xcopy.exe
    xcopy /C /H /Q /R /Y "C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json" "C:\ProgramData\tl"
    3⤵
    PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -FilePath 'C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
  - - C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe
      "C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4160
    - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /FIRSTPHASEWND=$E0064 /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3828
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /unregserver
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe" /uninstall
        6⤵
        Executes dropped EXE
        
        PID:636
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll"
        6⤵
        Loads dropped DLL
        
        PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
    3⤵
    PID:408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_LocalTime Get Day,Month,Year /value
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    PID:1696
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
      4⤵
      PID:4072
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
    3⤵
    PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:4928
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
      4⤵
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    PID:1592
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemManufacturer"
    3⤵
    PID:4684
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemManufacturer"
      4⤵
      PID:4584

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1264
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 1 /status off true /updatesubstatus none /scansubstatus recommended /settingssubstatus none
  2⤵
  - Executes dropped EXE
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery